Evaluate impact of Let's Encrypt chain shortening
In this article from July 2023, Let's Encrypt announced that the cross-sign from IdenTrust (the DST Root CA X3 signature on ISRG Root X1) will stop working in September 2024.
Their timeline is this:
- On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
- On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.
- On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.
So part of the transition has already happened: since February, most newly issued certificates come with the shorter chain that terminates at ISRG Root X1 rather than at the IdenTrust cross-sign. Any client that breaks on the short chain should therefore already be affected on our side.
We need to see what other impacts that has for us. In #32351, we've been hesitant about performing cipher changes because of backwards-compatibility concerns. The clients affected by the chain change are those whose trust store lacks ISRG Root X1 but still accepts DST Root CA X3, mainly Android versions before 7.1.1; according to this graph, we're talking about 5% of Android users affected here, for example. The compatibility page has a more detailed breakdown.
So basically the task is to go through the above table and see whether we need to do anything special for any of our services.
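To check which chain a given service actually serves today, here is an added example (not part of this issue, and not Let's Encrypt or OpenSSL tooling) that reads the text output of `openssl s_client -showcerts` and classifies the chain as the long cross-signed one or the short one ending at ISRG Root X1. The two sample outputs embedded in it are constructed; `example.test` and the elided PEM bodies are placeholders.

```python
# Added example (not from the original issue): classify which Let's Encrypt
# chain a TLS endpoint serves, from the text output of
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# The two sample outputs below are constructed; hostnames and PEM bodies are
# placeholders.
import re
import sys

ISRG_ROOT = "ISRG Root X1"       # Let's Encrypt's own root
CROSS_SIGNER = "DST Root CA X3"  # IdenTrust root whose cross-sign expires 2024-09-30

# CN in either OpenSSL DN style: "C = US, O = X, CN = R3" or "/C=US/O=X/CN=R3"
_CN_RE = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")


def _cn(dn: str) -> str:
    m = _CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return [(subject CN, issuer CN), ...] in the order the server sent them.

    Only the 'Certificate chain' section is read; PEM blocks and the a:/v:
    detail lines printed by OpenSSL 3 are skipped.
    """
    chain, subject, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain section
            break
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = _cn(m.group(1))
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, _cn(m.group(1))))
            subject = None
    return chain


def classify(chain: list[tuple[str, str]]) -> str:
    """'long': ISRG Root X1 cross-signed by DST Root CA X3 is still sent.
    'short': chain terminates at ISRG Root X1 (an intermediate issued by it,
    or the root itself), so the client must trust ISRG Root X1 directly.
    'unknown': not a Let's Encrypt chain we recognise."""
    issuers = {issuer for _, issuer in chain}
    subjects = {subject for subject, _ in chain}
    if CROSS_SIGNER in issuers:
        return "long"
    if ISRG_ROOT in issuers or ISRG_ROOT in subjects:
        return "short"
    return "unknown"


def report(s_client_output: str) -> dict:
    chain = parse_chain(s_client_output)
    kind = classify(chain)
    notes = {
        "long": "Cross-signed chain: keeps old Android (which ignores the expired "
                "DST Root CA X3 anchor) working until the cross-sign expires 2024-09-30.",
        "short": "Short chain: clients without ISRG Root X1 in their trust store "
                 "(e.g. Android before 7.1.1) already fail the handshake.",
        "unknown": "Could not recognise a Let's Encrypt chain; inspect manually.",
    }
    return {"chain": chain, "kind": kind, "note": notes[kind]}


# Constructed sample: a host still serving the long, cross-signed chain.
LONG_CHAIN_SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.test
"""

# Constructed sample: the same host after its ACME client picked up the default
# (short) chain; OpenSSL 3 style a:/v: detail lines included.
SHORT_CHAIN_SAMPLE = """\
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  1 00:00:00 2024 GMT; NotAfter: May 30 00:00:00 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else LONG_CHAIN_SAMPLE
    r = report(text)
    for subj, iss in r["chain"]:
        print(f"  {subj!r:45} issued by {iss!r}")
    print(r["kind"], "-", r["note"])
```

Saved as, say, `check_chain.py` (an assumed filename), it runs against a live service with `openssl s_client -connect host:443 -servername host -showcerts </dev/null | python3 check_chain.py`. A `short` result means the ISRG Root X1 dependency is already live on that service, independent of any cipher changes; a `long` result means the service is still on the alternate chain that Let's Encrypt stops providing in June and that expires in September.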